Static analysis-based tracking of data in access-controlled systems

US 10,467,423 B1
Filed: 03/26/2014
Issued: 11/05/2019
Est. Priority Date: 03/26/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving source code including at least a set of service calls associated with a first set of data stores and a second set of data stores; and

identifying data based at least in part on one or more data variable identifiers of the data to perform static analysis mapping of data flow to generate a data flow map, the data flow map indicating movement of data among the first set of data stores and the second set of data stores, the performance of the static analysis comprising;

obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a subset of the first set of data stores and a subset of the second set of data stores;

evaluating the source code, based at least in part on the access control policy and one or more data variable identifiers of a data portion, to determine whether the access control policy is violated, wherein evaluating the source code includes parsing service calls made by the source code indicating movement of the data portion from one data store location to another;

updating, based on the evaluation, the data flow map to indicate that the data portion is provided from the first data store of the first set of data stores to the second data store of the second set of data stores; and

using the updated data flow map to identify the location of the data portion and determine whether the data portion was provided from the first data store to the second data store correctly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for identifying a flow of data from a first data store to a second data store are disclosed. In the method and apparatus, a service may send the data from the first data store to the second data store, whereby the service may be associated with an access control policy that specifies whether the service is permitted to send or receive the data. The access control policy may be used as a basis for the evaluation of executable instructions of the service, and evaluation of the executable instructions may be used to identify the first data store or the second data store.

66 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- receiving source code including at least a set of service calls associated with a first set of data stores and a second set of data stores; and
  
  identifying data based at least in part on one or more data variable identifiers of the data to perform static analysis mapping of data flow to generate a data flow map, the data flow map indicating movement of data among the first set of data stores and the second set of data stores, the performance of the static analysis comprising;
  
  obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a subset of the first set of data stores and a subset of the second set of data stores;
  
  evaluating the source code, based at least in part on the access control policy and one or more data variable identifiers of a data portion, to determine whether the access control policy is violated, wherein evaluating the source code includes parsing service calls made by the source code indicating movement of the data portion from one data store location to another;
  
  updating, based on the evaluation, the data flow map to indicate that the data portion is provided from the first data store of the first set of data stores to the second data store of the second set of data stores; and
  
  using the updated data flow map to identify the location of the data portion and determine whether the data portion was provided from the first data store to the second data store correctly.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising performing one or more corrective actions based at least in part on identifying the first data store of the first set of data stores or the second data store of the second set of data stores.
  - 3. The computer-implemented method of claim 2, wherein the one or more corrective actions include deleting the data portion from the second data store of the second set of data stores or providing, to a device associated with an administrator, an indication that the data portion is stored in the second data store of the second set of data stores.
  - 4. The computer-implemented method of claim 1, wherein evaluating the source code further includes:
    - identifying incidences of occurrence of the one or more data variable identifiers associated with the data portion in the source code; and
      
      simulating execution of the source code in a simulation environment to identify whether the source code causes the data portion to be sent from the first data store of the first set of data stores to the second data store of the second set of data stores.

5. A system comprising:
- memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to;
  
  for a computing system having a set of access privileges that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination, generate an evaluation of one or more instructions by parsing a call tree of a set of service calls to identify data movement based at least in part on one or more variable names associated with the data of the computer system, to determine whether the computer system causes data to be sent from the source to the destination, the evaluation being performed based at least in part on the set of access privileges and one or more variable names associated with the data, and the evaluation including information, based at least in part on whether the access privileges are violated, indicating a flow of data among the source, the destination, and the computing system; and
  
  perform one or more operations based at least in part on the evaluation to determine whether the data exchanged between the source and destination was performed correctly.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein:
    - generating the evaluation of the one or more instructions based at least in part on the set of access privileges further includes utilizing the access privileges to limit a scope of instruction evaluation to the one or more instructions; and
      
      the set of access privileges specifying that the computing system is permitted to access the source and the destination.
  - 7. The system of claim 5, wherein:
    - the set of service calls are made by the computing system; and
      
      the set of service calls cause the data to be retrieved from the source or be provided for storage in the destination.
  - 8. The system of claim 5, wherein generating an evaluation of the one or more instructions further includes evaluating possible flows of the call tree to identify whether the one or more instructions cause the data to be sent from the source to the destination.
  - 9. The system of claim 5, wherein the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to perform one or more corrective actions based at least in part on the evaluation.
  - 10. The system of claim 9, wherein:
    - the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to determine whether the data is categorized as sensitive or secretive;
      
      in response to determining that the data is categorized as sensitive or secretive, the one or more corrective actions comprise deleting the data from the destination; and
      
      the destination is a data store.
  - 11. The system of claim 5, wherein:
    - the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to determine an identity associated with the data based at least in part on references made to the data; and
      
      wherein the one or more variable names further include method names given to the data.
  - 12. The system of claim 5, wherein:
    - the source is a member of a set of sources and the destination is a member of a set of destinations; and
      
      the set of sources and the set of destinations are identified prior to generating an evaluation of one or more instructions.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- identify a destination for a data portion to generate an identification, generating the identification including obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination and evaluating computer system code by parsing a service call to a service indicating movement of the data portion, based at least in part on one or more data variable identifiers and the access control policy to determine whether the access control policy is violated, the computer system code retrieving the data portion from the source and providing the data portion to the destination for use;
  
  generate a mapping indicating transmission of the data portion from the source to the destination based at least in part on the identification and the evaluation; and
  
  use the mapping to determine whether the data portion is provided correctly.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to delete the data portion from the destination or send, to a device associated with an administrator, a notification that the data portion is stored in the destination.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to receive one or more method names associated with the one or more data variable identifiers; and
      
      the instructions that cause the computer system to evaluate the computer system code further include instructions that cause the computer system to evaluate the computer system code based at least in part on the one or more method names.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to evaluate the computer system code based at least in part on the one or more data variable identifiers further include instructions that cause the computer system to:
    - identify references to the one or more data variable identifiers in the computer system code; and
      
      simulate, in a simulation environment, execution of the computer system code to determine whether the computer system code causes the data portion to be sent, via the service, from the source to the destination.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - prior to evaluating the computer system code, determine whether an access restriction permits the service to cause the data portion to be retrieved from the source and provided to the destination; and
      
      initiate evaluating the computer system code on a condition that the access restriction permits the service to cause the data portion to be retrieved from the source and provided to the destination.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the computer system code is retained by an instruction repository and provided to the service for execution.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the computer system code specifies one or more application programming interface (API) service calls made by the service; and
      
      at least one API service call of the one or more API service calls enables the service to retrieve the data portion from the source and provide the data portion to the destination.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the service, the source, and the destination are subject to a system-wide access control policy; and
      
      the access control policy specifies enforcement of an access restriction of the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Sethi, Tushaar, Van Horenbeeck, Maarten
Primary Examiner(s)
Thai, Hanh B

Application Number

US14/225,958
Time in Patent Office

2,050 Days
Field of Search

707781, 707783, 707786
US Class Current
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Static analysis-based tracking of data in access-controlled systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Static analysis-based tracking of data in access-controlled systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links